Can't authenticate personal Microsoft account against Azure DevOps using MSAL

Question

I'm trying to setup authentication against Azure DevOps using MSAL. I've followed Microsoft's sample but I can't get it to work with personal Microsoft accounts. Whenever I try to login with a personal account I get the following error:

This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.

In the sample I have only changed ida:Tenant to "common" and ida:ClientId to my application id. I've setup my App Registration by following the guide in the sample except for the "Supported account types" which I've set to:

All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.

What am I doing wrong or missing?

Answer 1

When configuring the application to use your app registration, you need also find the key ado:OrganizationUrl and replace the existing value to the URL of your Azure DevOps organization. Please note: This must use HTTPS. As it mentioned in Configure the application to use your app registration .

If you already replaced the ado:OrganizationUrl , you may have a try to change the Supported account types back to "Accounts in this organizational directory only" to see if it works for troubleshooting.

Answer 2

I spent a little bit time to get the samples working and the key steps required to accomplish this are:

1. the Microsoft personal account need to be added to an Azure active directory tenant. As MSAL uses Azure AD as a fundamental infrastructure.

https://learn.microsoft.com/en-us/answers/questions/228067/invite-or-add-personal-ms-account-to-azure-ad.html

2. Link the Azure Ad tenant (with the Microsoft personal account) to the Azure DevOps service Instance. https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops

To complete the sample, I used my MS personal account to sign up a free Azure account (so that I can test the Azure AD stuff), and used the same account to request a free Azure devops service account.

Thanks

Answer 3

In your question you mention: "I'm trying to setup authentication against Azure DevOps using MSAL. "

So, the goal is to let Microsoft Account users logon to some part of Azure DevOps using MSAL? I'm curious what the exact use case is, but let's assume I understand you correctly.

The first thing that comes in mind is, are those users already invited to the AzDo organization? Please read here how to do this.

Doing this will add them to the Active Directory as a guest like this:

Alternatively if you just want to invite these users to Azure, please use the invite from: https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers

Answer 4

This site suggests this error occurs when the user doesn't have multi-factor authentication setup. You may need to have your Microsoft account setup with MFA.